Medicare Compliance & Reimbursement

Honesty really is the best policy.

Government enforcement efforts under the False Claims Act are accelerating post-COVID, rising from $3.1 billion in 2019 to $5.6 billion in 2021. In 2023, false claims against the government exceeded $2.68 billion, with over $1.8 billion attributed to healthcare.

These numbers mean any medical practice is always in danger of being investigated by the government for possible fraud, and anyone working as documentation specialists or with electronic health records (EHRs) can personally be held liable in those cases, according to Robert Liles, JD, MBA, MS, CPC, presenter of “What Is Your Potential Liability if Your Practice Is Investigated?” at HEALTHCON Regional 2024.

So, if your practice takes Medicare, Medicaid, or any other government-run health insurance program, read on to find out what you can do to protect yourself if the unthinkable happens.

Have a Compliance Plan in Place

The best, and most important, proactive thing you can do to protect yourself is to make sure your practice has an effective compliance program in place. If you do, and your practice is found guilty of breaking the law, “you can get a break, you get credit for that, and the government won’t hit you with as big a penalty,” Liles advised. For example, since 1992, almost 90 percent of the 5,000 organizations prosecuted did not have any compliance or ethics program, but the 11 of those that did have an effective program received a sentencing reduction.

Turn Yourself In!

If you do find a problem, the best thing you can do is fix it, report it, and pay back any money you owe, according to Liles. Because, if the government comes in and they find the problem, you’ll be a lot worse off. “You will be caught, Lisles cautioned. “It may take five years or six years, but they will catch you.”

Understand the Current Risk Areas

Lisles then outlined a number of recently prosecuted cases to illustrate the kinds of pitfalls your practice should avoid. They included:

• Billing for services that were either more serious than, or entirely different from, those performed
• Billing for services that never took place
• Billing using false diagnosis codes
• Billing under false national provider identifiers (NPIs)
• Billing for services rendered by non-credentialed providers
• Billing under false provider signatures
• Billing incident-to services when the physician was not present
• Billing using higher evaluation and management (E/M) codes than the service rendered justified

Lisles also noted a number of common electronic health record (EHR) issues that resulted in prosecutions. They involved such cases as documentation that failed to support medical necessity, missing medical treatment plans or consent forms, and retroactive entries in the EHR that were not clearly noted or signed as corrections or addendums.

All of these problems can be avoided by careful review of a state’s medical practice act and any requirements set out in appropriate national or local coverage determinations (NCDs and LCDs), according to Lisles.

Don’t Forget HIPAA Breaches

Lisles also pointed out that the Office of Civil Rights (OCR) is aggressively pursuing enforcement actions in another risk area: HIPAA breaches and violations. What makes this especially hard for practices is the definition of harm currently being used by the OCR, which is extremely vague. Under the HITECH Act of 2009, the OCR can enforce appropriate penalties based on the nature and extent of the violation and the harm resulting on the individual resulting from the violation, but the Act does not define harm or provide direction for defining it, according to Lisles.

With the stakes so high, and the guidance so low, this is another powerful argument for your practice to put a robust and effective compliance program in place.

Know Your Rights

Lisles concluded with some practical tips for you to follow in the unlikely, but not impossible, event that you are investigated for possible violations of the various healthcare laws.

Should a federal agent ask you to answer questions, you should evaluate how to respond. If the agent says they wish to obtain background information, you should probably answer them as “there is a very good chance the agent already knows the answers as the government may have been investigating your case for months or even years,” Lisles pointed out.

However, that does not mean you should answer every question the agent asks. You should invoke your fifth Amendment right to remain silent and speak to your attorney before going any further than answering questions about specific information. You should also make sure you refresh your memory of the facts and closely review the medical record being investigated before providing any answers.

Most important, you should tell the truth, as lies and even half-truths can result in you being charged with making a materially false statement to the government. Doing so can result in a harsh punishment; in one recent case, a defendant was sentenced to five years in prison and a fine of $250,000. That’s something you can ill afford.

The Bottom Line

Ultimately, it’s important to understand your own personal culpability as a documentation specialist in fraud and HIPAA breaches. Lisles emphasized that if you suspect your practice has engaged in wrongdoing, you have an obligation to report the issue to your practice’s management or compliance officer and to law enforcement in cases where your organization has blatantly engaged in fraudulent practice. At the very least, Lisles noted, you should document your own personal efforts to comply with government regulations.

Bruce Pegg, BA, MA, CPC, CFPC, Managing Editor, AAPC